Search found 35 matches

by marwooj
Mon Jul 16, 2018 11:25 pm
Forum: General
Topic: Ikev2 + eap radius
Replies: 9
Views: 4870

Re: Ikev2 + eap radius

Hi, would you point me to a link with a how-to guide on IPsec for mobile users?
by marwooj
Sat Mar 17, 2018 9:08 am
Forum: General
Topic: Routing IPsec HUB with two S2S remote offices
Replies: 3
Views: 439

Re: Routing IPsec HUB with two S2S remote offices

HUB needs to add matching policy for each peer
No access to HUB admins, so I will just create direct As2sB.
by marwooj
Fri Mar 16, 2018 6:25 pm
Forum: General
Topic: How to setup DSCP 46 Priority for voip?
Replies: 37
Views: 14468

Re: How to setup DSCP 46 Priority for voip?

In practical terms, jitter values below 100 ms rarely cause voice drop-outs as most VoIP equipment has de-jittering buffers which handle that, but such high values already cause some discomfort as 200 ms round-trip delay is at the edge of acceptability.
How to measure jitter?
by marwooj
Fri Mar 16, 2018 6:15 pm
Forum: General
Topic: Routing IPsec HUB with two S2S remote offices
Replies: 3
Views: 439

Routing IPsec HUB with two S2S remote offices

Hi, I have 2 MikroTik routers connecting with Cloud HUB that provides VM for us. Both MikroTiks use IPsec S2S to HUB. All stations on both sites can reach VM in HUB. SiteA 192.168.2.0/24 s2s --> HUB 192.168.1.1/24 <-- s2s 192.168.3.0/24 SiteB How can I add routes to MikroTiks so sites can access eac...
by marwooj
Tue Mar 13, 2018 11:19 am
Forum: Useful user articles
Topic: Using RouterOS to QoS your network - 2020 Edition
Replies: 176
Views: 225818

Re: Using RouterOS to prioritize (Qos) traffic for a Class C net

So to make LEVEL_B and LEVEL_C always lower priority than LEVEL_A I will change parent of B and C to A? Yes but not only, you must also give the LEVEL_B queue the lowest priority among all the other child queues of LEVEL_A. And LEVEL_C must have the lowest priority among all child queues of LEVEL_B...
by marwooj
Mon Mar 12, 2018 3:59 pm
Forum: Useful user articles
Topic: Using RouterOS to QoS your network - 2020 Edition
Replies: 176
Views: 225818

Re: Using RouterOS to prioritize (Qos) traffic for a Class C net

I also have ipsec s2s not for the purpose of VoIP, to completely different site. It is mostly RDP.
Since IPsec s2s is also UDP (I think), how can I put it "to not disturb" my VoIP but not to go into LEVEL_C / OTHER?
by marwooj
Mon Mar 12, 2018 3:10 pm
Forum: Useful user articles
Topic: Using RouterOS to QoS your network - 2020 Edition
Replies: 176
Views: 225818

Re: Using RouterOS to prioritize (Qos) traffic for a Class C net

Looks like my PBX boxes are adding DSCP = 40 already, I am just afraid that putting this traffic into VPN will add unnecessary overhead and I will end up having a bigger disaster than I have now. So to make LEVEL_B and LEVEL_C always lower priority than LEVEL_A I will change parent of B and C to A?
by marwooj
Mon Mar 12, 2018 1:47 pm
Forum: Useful user articles
Topic: Using RouterOS to QoS your network - 2020 Edition
Replies: 176
Views: 225818

Re: Using RouterOS to prioritize (Qos) traffic for a Class C net

I think I will forget about putting VoIP into VPN, this definitely sounds too complicated. And I will try to tune the example I have already implemented. Just after I understood how LEVEL_A_ gets priority over LEVEL_B_ and then over LEVEL_C_ :-)
by marwooj
Sun Mar 11, 2018 7:13 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

VoIP and QoS is already a challenge. I have been struggling with this for months now. Perhaps you know answers to my questions about Option 2 QoS from this topic? https://forum.mikrotik.com/viewtopic.php?f=13&t=73214&p=646581&hilit=voip#p646581 https://forum.mikrotik.com/viewtopic.php?f=13&t=73214&p...
by marwooj
Sun Mar 11, 2018 10:20 am
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

Hi, just as an addition, I would like to ask if it is reasonable to put VoIP into an s2s tunnel?
by marwooj
Wed Mar 07, 2018 7:36 pm
Forum: Useful user articles
Topic: Using RouterOS to QoS your network - 2020 Edition
Replies: 176
Views: 225818

Re: Using RouterOS to prioritize (Qos) traffic for a Class C

Implementing VoIP traffic prioritization (Qos) with RouterOS v6 – Option 2
I also do not understand how LEVEL_A_ gets priority over LEVEL_B_ and then over LEVEL_C_.
Would somebody be so kind as to explain this?
by marwooj
Wed Mar 07, 2018 7:23 pm
Forum: Useful user articles
Topic: Using RouterOS to QoS your network - 2020 Edition
Replies: 176
Views: 225818

Re: Using RouterOS to prioritize (Qos) traffic for a Class C

Implementing VoIP traffic prioritization (Qos) with RouterOS v6 – Option 2

If I have s2s ipsec VPN will it go into "OTHER"?
by marwooj
Sat Mar 03, 2018 12:40 am
Forum: Beginner Basics
Topic: Disable fasttrack
Replies: 7
Views: 23726

Re: Disable fasttrack

Hi, so is this #5 rule necessary?
by marwooj
Wed Feb 28, 2018 11:18 pm
Forum: General
Topic: SSTP VPN issue - router WWW GUI not accessable sometimes
Replies: 0
Views: 406

SSTP VPN issue - router WWW GUI not accessable sometimes

I have "working" SSTP VPN for mobile users, except it has no split tunneling works pretty good, but sometimes there is an issue with getting to router GUI WWW over VPN. HTTP is just not responding. Mikrotik support told me that, I have the same IP on two interfaces. That would be /ip address add add...
by marwooj
Fri Feb 23, 2018 7:12 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]


Yes, sorry for ambiguous expression. Your rules handle packets forwarded by the router between the other end of the IPsec tunnel and other devices on its local LAN, my rules handle packets received and sent by your router itself.

Great !!! It works !!! Moving on to next issue :-)
by marwooj
Thu Feb 22, 2018 10:40 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

So you need another pair of rules:
/ip firewall raw
add action=notrack chain=output dst-address=10.13.13.0/24 src-address=10.8.8.0/24
add action=notrack chain=input dst-address=10.8.8.0/24 src-address=10.13.13.0/24
Or you may replace the 10.8.8.0/24 by the individual (/32) address of the router...
by marwooj
Thu Feb 22, 2018 8:05 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

And here is trace part from client: 1 0.000000000 10.13.13.2 10.8.8.1 SSHv2 82 Client: Protocol (SSH-2.0-PuTTY_Release_0.70) Frame 1: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) Ethernet II, Src: Microsof_CLI_MAC (CLI_MAC), Dst: Barconet_DST_MAC (DST_MAC:DST_MAC) Internet Protocol Vers...
by marwooj
Thu Feb 22, 2018 7:00 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

The Log:
---
17:14:30 firewall,info SSH OUT output: in:(unknown 0) out:ether1, proto TCP (SYN,ACK), 10.8.8.1:22->10.13.13.2:49735, len 52
17:14:30 firewall,info SSH OUT output: in:(unknown 0) out:ether1, proto TCP (SYN,ACK), 10.8.8.1:22->10.13.13.2:49735, len 52
17:14:30 firewall,info SSH OUT output...
by marwooj
Thu Feb 22, 2018 2:21 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

The bad news is that unless it is as simple as that the "action=accept chain=input protocol=tcp dst-port=22 ipsec-policy=in,ipsec ... " rule is really disabled as your "/export" suggests, I cannot see any reason at this end of the tunnel why the ssh access to the router from the remote side should ...
by marwooj
Wed Feb 21, 2018 9:40 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

# RouterOS 6.41.2
/interface bridge
add admin-mac=MAC arp=proxy-arp auto-mac=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-master
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ethe...
by marwooj
Wed Feb 21, 2018 8:53 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

I will provide "hide-sensitive".
by marwooj
Wed Feb 21, 2018 7:07 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

No luck with this:
1  chain=input action=accept protocol=tcp src-address=10.1.101.0/24 dst-port=22 log=no log-prefix="" ipsec-policy=in,ipsec 
2  chain=output action=accept protocol=tcp dst-address=10.1.101.0/24 src-port=22 log=no log-prefix="" ipsec-policy=out,ipsec
by marwooj
Wed Feb 21, 2018 5:41 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

PC A on site LAN A is trying to connect with ssh to router B on site LAN B, all hosts from LAN B are accessible from PC A, except router B. PC A can ping router B, but not ssh. PC A can go to http 80 on PC B that is on site LAN B.
by marwooj
Wed Feb 21, 2018 2:20 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Re: Ipsec site to site nat dilemma [SOLVED]

Great, just one more question: when I am on my remote network, let's say with Remote Desktop on some host inside that network, and I pretend it is my local site, I am not able to ssh to the router that is on the opposite site. Everything else is working, all other remote IPs are accessible. And I can ping router r...
by marwooj
Tue Feb 20, 2018 9:41 pm
Forum: General
Topic: Ipsec site to site nat dilemma [SOLVED]
Replies: 26
Views: 4911

Ipsec site to site nat dilemma [SOLVED]

I have a working site to site ipsec vpn. Just going through the configuration and comparing it to the documentation: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel I found there should be nat on both routers that I do not have in mine. I do have: /ip firewall raw add action=notr...
by marwooj
Mon Feb 19, 2018 9:51 pm
Forum: General
Topic: VoIP / SIP big problems [SOLVED]
Replies: 17
Views: 10186

Re: VoIP / SIP big problems [SOLVED]

The "to-ports=" is also taken from documentation.
by marwooj
Mon Feb 19, 2018 9:43 pm
Forum: General
Topic: VoIP / SIP big problems [SOLVED]
Replies: 17
Views: 10186

Re: VoIP / SIP big problems [SOLVED]

Hi, does the order of rules matter?
by marwooj
Mon Feb 19, 2018 9:04 pm
Forum: General
Topic: VoIP / SIP big problems [SOLVED]
Replies: 17
Views: 10186

Re: VoIP / SIP big problems [SOLVED]

how about this one for RTP, is it ok?:
chain=dstnat action=dst-nat to-addresses=192.168.1.23 to-ports=8100-8300 protocol=udp in-interface=ether1 dst-port=8100-8300 log=no log-prefix="RTP"
by marwooj
Sun Feb 18, 2018 2:42 pm
Forum: General
Topic: VoIP / SIP big problems [SOLVED]
Replies: 17
Views: 10186

Re: VoIP / SIP big problems [SOLVED]

Don't see any interfaces on your dst nat rules, add your WAN interface as "in" interface on these rules
Added in-interface=ether1 on NAT, hope it saves my life.

Should that one:
https://wiki.mikrotik.com/wiki/Manual:I ... forwarding

be updated?
by marwooj
Thu Feb 15, 2018 7:06 pm
Forum: General
Topic: VoIP / SIP big problems [SOLVED]
Replies: 17
Views: 10186

Re: VoIP / SIP big problems [SOLVED]

So I assume that my NAT rules are fine?
by marwooj
Thu Feb 15, 2018 4:33 pm
Forum: General
Topic: VoIP / SIP big problems [SOLVED]
Replies: 17
Views: 10186

VoIP / SIP big problems [SOLVED]

I do have an internal PBX that is providing land lines and some internal extensions for remote offices. The problem is that I often have a SIP registration problem to my remote SIP provider. I do see it is trying to register but packets are lost just after prerouting. prerouting: in:bridge1 out:(none), sr...
by marwooj
Sat Nov 25, 2017 7:03 pm
Forum: General
Topic: VPN IPsec remote LAN works, except router
Replies: 1
Views: 373

VPN IPsec remote LAN works, except router

Hi, I have set up IPSec VPN for road warriors as wiki guided, I am able to reach remote LAN hosts except router itself :-(

What could I have done wrong?
by marwooj
Wed Nov 15, 2017 11:48 am
Forum: General
Topic: OpenSSL and OpenVPN
Replies: 6
Views: 1670

OpenSSL and OpenVPN

Hi, which version of OpenSSL should I use to generate server and clients certificates to make OpenVPN work on hEX (RB750Gr3) 6.40.5?
by marwooj
Mon Nov 13, 2017 1:32 am
Forum: General
Topic: OpenVPN diskonecting
Replies: 0
Views: 354

OpenVPN diskonecting

Hi, I was trying to set up an OpenVPN server on a hex v3 router following the wiki. No way to connect, errors I am getting: lient: Connection reset, restarting [0] Sun Nov 12 22:31:19 2017 us=380382 TCP/UDP: Closing socket Sun Nov 12 22:31:19 2017 us=380498 SIGUSR1[soft,connection-reset] received, process re...
by marwooj
Mon Nov 06, 2017 10:52 am
Forum: RouterBOARD hardware
Topic: RB750Gr3
Replies: 0
Views: 434

RB750Gr3

Hi, would this one handle ikev2 ipsec AES256 and some 10 OpenVPN mobile users with NAT and little QoS on 100Mbps link?